180. Threat Actors Abuse Legitimate Java Utility to Load Snake Keylogger

Hello everyone!

Even cybercrime actors evolve their techniques, and DLL side-loading is being added to their arsenal. Recently I spotted Snake Keylogger distributors abusing jsadebugd.exe, a legitimate Java utility, to sideload a malicious DLL. This case is covered publicly in this report by Lab52.

If we look at VirusTotal, for example, we can see that this legitimate executable was uploaded there with lots of interesting filenames:


It means it's widely abused by threat actors, and it's a good idea to search for renamed copies of the executable (process creation events where the original file name embedded in the binary doesn't match the name it was launched under):

event_type: "processcreatewin"
AND proc_file_originalfilename: "jsadebugd.exe"
AND NOT proc_file_name: "jsadebugd.exe"
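The same rename check expressed as code, run over a handful of constructed process-creation events. This is an added example, not part of the original post or of the Lab52 report; it assumes events arrive as dictionaries carrying the three field names used in the query above (event_type, proc_file_originalfilename, proc_file_name), and it generalizes the query slightly by accepting a set of watched original names and by comparing basenames case-insensitively, since some pipelines put a full path in proc_file_name and Windows file names are not case-sensitive.

```python
import ntpath

# Original file names (from the PE version resource) worth watching for renamed
# execution. jsadebugd.exe is the one from the post; the set is extensible.
WATCHED_ORIGINAL_NAMES = {"jsadebugd.exe"}


def is_renamed_execution(event, watched=WATCHED_ORIGINAL_NAMES):
    """True if a process-creation event shows a watched binary running under
    a name that differs from its embedded OriginalFileName."""
    if event.get("event_type") != "processcreatewin":
        return False
    original = (event.get("proc_file_originalfilename") or "").lower()
    if original not in watched:
        return False
    # proc_file_name may be a bare name or a full path; compare the basename only.
    actual = ntpath.basename(event.get("proc_file_name") or "").lower()
    return actual != original


def find_renamed_executions(events, watched=WATCHED_ORIGINAL_NAMES):
    """Return the subset of events that match the rename detection."""
    return [e for e in events if is_renamed_execution(e, watched)]


# Constructed sample telemetry (hypothetical paths and names, not real IoCs).
SAMPLE_EVENTS = [
    {   # legitimate launch: names match, should not fire
        "event_type": "processcreatewin",
        "proc_file_originalfilename": "jsadebugd.exe",
        "proc_file_name": "jsadebugd.exe",
    },
    {   # renamed copy dropped into a user-writable directory: should fire
        "event_type": "processcreatewin",
        "proc_file_originalfilename": "jsadebugd.exe",
        "proc_file_name": "C:\\Users\\Public\\update.exe",
    },
    {   # different casing only: Windows treats these as the same name, no alert
        "event_type": "processcreatewin",
        "proc_file_originalfilename": "JSADEBUGD.EXE",
        "proc_file_name": "JsaDebugd.exe",
    },
    {   # renamed copy, bare file name in the field: should fire
        "event_type": "processcreatewin",
        "proc_file_originalfilename": "jsadebugd.exe",
        "proc_file_name": "svchost.exe",
    },
    {   # not a process-creation event: ignored regardless of names
        "event_type": "imageloadwin",
        "proc_file_originalfilename": "jsadebugd.exe",
        "proc_file_name": "loader.exe",
    },
]


if __name__ == "__main__":
    for hit in find_renamed_executions(SAMPLE_EVENTS):
        print("renamed execution:", hit["proc_file_name"])
```

One caveat worth keeping in mind when relying on this logic: the original file name comes from the binary's version resource, so it only identifies copies that were renamed on disk but otherwise left intact. A copy with the version resource stripped or edited will not match, which is why this check works best alongside a hash- or signer-based identification of the same executable.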

See you tomorrow!
